Warning: Please do not give out any FTP or ssh credentials to anyone, unless you trust them completely. Giving out login details is dangerous.
If the asker does not get an answer then they have 10 days to request a refund.
$15
Wordpress Security
One of the questions my client has raised is:
WordPress has a number of security issues. It is notoriously vulnerable to SQL injection attacks, for example, and the open source nature of WordPress makes it relatively easy to gain unauthorized access to files. We would therefore like the site protected with security plugins such as Better WP Security.
I would like to know how you would protect a site, and why.
Please let me know any plugins or custom edits you would do.
Thank you
This question has been answered.
Ross Gosling | 01/18/13 at 12:56pm
(3) Responses
Dbranes says (last edited 01/18/13 at 4:40pm):
"WordPress has a number of security issues. It is notoriously vulnerable to SQL injection attacks for example and the open source nature of WordPress makes it relatively easy to gain unauthorized access to files."
I don't agree if they mean the WordPress core: it's well maintained, tested by millions, and security patches are shipped out fast.
Here are some ideas for both WordPress and other CMSs:
- rule 1: always assume your site (wordpress or not) will be hacked, then you must have a recovery plan ;-)
- use the latest cms version
- use only quality hosting
- use htpasswd on the backend (wp-admin/* and wp-login.php)
- consider cloudflare.com to block threats and limit abusive bots
- don't use ftp
- use only "well tested" plugins/extensions
- consider the security plugins (like BWS for wordpress)
- don't forget the backups
Hope this helps
plovs says (last edited 01/18/13 at 5:21pm):
WordPress is a lot more secure than your client's remark suggests; if we compare the number of installs with the number of exploits, then the chance that you will get hacked is small. The list mentioned above covers 99% of the use cases. Main points:
- stay up-to-date
- move wp-config.php
- don't use wp_
- don't use admin
- good unique passwords
- use good plugins
- reduce the rights of your users as low as possible, do they have to be admin?
If you run into trouble it will be because your install is out of date, has funky plugins (TimThumb), your users use admin:password, or they tell somebody their password.
Some good links for further research:
- http://codex.wordpress.org/Hardening_WordPress (Must read, like the whole of the Codex)
- http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ (What kind of malware are we most likely to meet)
- http://blog.softlayer.com/2012/tips-and-tricks-how-to-secure-wordpress/ simple security measures
- http://www.wpmayor.com/plugin-reviews/top-10-essential-wordpress-security-plug-ins/ excellent list of plugins to test
Bonus: be as up-to-date as is possible without pulling WordPress from SVN:
- http://wordpress.org/extend/plugins/hotfix/
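Most of the points in Dbranes's and plovs's lists above can be checked mechanically. The script below is an added example, not code from this thread or from WordPress: it parses a constructed wp-config.php, a constructed export of the user table and the .htaccess in front of wp-admin, and reports the default wp_ prefix, a weak database password, wp-config.php left inside the document root (WordPress also loads it from the directory above the install), a user named admin, more administrators than needed, and the absence of the HTTP auth Dbranes recommends. The finding codes, sample values, paths and the .htpasswd location are all assumptions of mine.

```python
"""Offline audit of a WordPress install against the hardening points raised in this thread.
Added example; the finding codes, sample inputs and paths are constructed, not from a real site."""
import re
from pathlib import PurePosixPath

# --- constructed sample inputs (not from any real site) ---
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

SAMPLE_USERS = [  # as you would export them from wp_users / wp_usermeta
    {"user_login": "admin", "role": "administrator"},
    {"user_login": "jane", "role": "administrator"},  # only ever edits posts
    {"user_login": "bob", "role": "author"},
]

SAMPLE_WP_ADMIN_HTACCESS = ""  # nothing in front of wp-admin/

# What "htpasswd on the backend" looks like for Apache (wp-admin/.htaccess).
# wp-login.php lives in the site root, so it needs the same directives
# wrapped in <Files wp-login.php> in the root .htaccess.
HARDENED_WP_ADMIN_HTACCESS = """AuthType Basic
AuthName "Restricted"
# assumed path; keep the password file outside the document root
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
"""

WEAK_DB_PASSWORDS = {"", "password", "123456", "wordpress", "admin"}

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def parse_wp_config(text):
    """Pull the string define()s and $table_prefix out of wp-config.php text."""
    cfg = {name: value for name, value in DEFINE_RE.findall(text)}
    m = PREFIX_RE.search(text)
    cfg["table_prefix"] = m.group(1) if m else "wp_"  # WordPress default
    return cfg


def audit_config(cfg, config_path, docroot):
    findings = []
    if cfg["table_prefix"] == "wp_":
        findings.append("DEFAULT_TABLE_PREFIX")
    if cfg.get("DB_PASSWORD", "") in WEAK_DB_PASSWORDS:
        findings.append("WEAK_DB_PASSWORD")
    # WordPress also loads wp-config.php from the directory above the install,
    # which lets it live outside the web server's document root.
    if PurePosixPath(config_path).parent == PurePosixPath(docroot):
        findings.append("WP_CONFIG_IN_DOCROOT")
    return findings


def audit_users(users):
    findings = []
    if any(u["user_login"].lower() == "admin" for u in users):
        findings.append("ADMIN_LOGIN_EXISTS")
    admins = sum(1 for u in users if u["role"] == "administrator")
    if admins > 1:
        findings.append(f"MULTIPLE_ADMINS:{admins}")
    return findings


def audit_wp_admin_htaccess(text):
    """Basic auth in front of wp-admin/ is present if an AuthType Basic directive exists."""
    if re.search(r"^\s*AuthType\s+Basic\b", text, re.M | re.I):
        return []
    return ["NO_HTTP_AUTH_ON_WP_ADMIN"]


def audit_site(wp_config_text, config_path, docroot, users, wp_admin_htaccess):
    cfg = parse_wp_config(wp_config_text)
    return (audit_config(cfg, config_path, docroot)
            + audit_users(users)
            + audit_wp_admin_htaccess(wp_admin_htaccess))


if __name__ == "__main__":
    for finding in audit_site(SAMPLE_WP_CONFIG, "/var/www/html/wp-config.php",
                              "/var/www/html", SAMPLE_USERS, SAMPLE_WP_ADMIN_HTACCESS):
        print(finding)
```

Run against the constructed sample it reports all six findings; against a config with a custom prefix and a strong password, wp-config.php one level above the document root, a single administrator not called admin, and the hardened .htaccess it reports nothing. The user list is fed in as plain dicts so the same checks work on a CSV export without a database connection.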
phppoet says (last edited 01/20/13 at 5:02pm):
I completely disagree with your client's remarks. He may have had a bad experience of open source scripts with SQL injections, but that does not make popular open source CMSs more vulnerable to SQL injection and other security-related issues. On the contrary, CMSs developed by active communities always find quick fixes for the latest vulnerabilities.
In my opinion WordPress is the most secure among all the open source scripts I have experienced.
Current status of this question: Completed